Rundeck Job Notification Webhook Certificate Issue - rundeck

I have a job that Sends Notification On success or On failure. It uses the Webhook option. The webhook is a Rundeck API that executes a job.
Here is my notification setup
I've check on the rundeck.log. It has the following error:
ERROR services.NotificationService [quartzScheduler_Worker-6] - Notification failed [onsuccess,succeeded,238621]; URL https://client-dns/api/33/job/cd3b3a1b-90c9-4c99-bf29-46c5aad1b4ff/run?authtoken=6XpW50hvZoPUTtlwucKGJ7ERKOxeJCTR&option.rd_exec_id=238621: Unable to POST notification after 1 tries: success for execution 238621 (succeeded): Error making request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
How can I fix this issue? I have already a certificate but how can I tell rundeck to use it. Thank in advance to those who'll help me.

You need to add the webhook service certificate to the Java cacert to make recognizable by Rundeck. Alternatively, if you are using Rundeck over SSL, you can add that certificate to Rundeck truststore file in the following way:
Stop the Rundeck Service.
Extract the service certificate:
echo -n | openssl s_client -connect your_service_host:your_service_port > cert.out
Add it to your Rundeck truststore file:
keytool -importcert -trustcacerts -file certs.out -alias my_service -keystore your/path/to/rundeck/truststore
Start Rundeck service.

Related

Installing azure devops extension in powershell but getting error

I am trying to install an azure DevOps extension in PowerShell using the command:
az extension add --name azure-devops
. But, getting certification error.
I tried to generate a selfsigned cert and tried to ping the url mentioned in error, was able to ping the url but error remain still there. The error is as below:
Please ensure you have network connection. Error detail:
HTTPSConnectionPool(host='objects.githubusercontent.com', port=443): Max retries exceeded with url: /github-production-release-asset-2e65be/107708057/8c8c37f1-25aa-4394-9b37-ab8655c6d437?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20230210%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230210T092547Z&X-Amz-Expires=300&X-Amz-Signature=e65868999583f165ce08abf46e4e192fccffcd611847d2da76c25473f27927a4&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=107708057&response-content-disposition=attachment%3B%20filename%3Dazure_devops-0.26.0-py2.py3-none-any.whl&response-content-type=application%2Foctet-stream (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:997)')))
I tried generating the selfsign certificate. Tried to install on current userscope.Also, tried to ping the url mentioned in error and it was giving reply back

JMeter : SOAP Message Signer Plugin

I am trying to send a SOAP request(signed) using HTTP Request Sampler along with SOAP Message Signer plugin. Request works fine with SOAPUI. It seems to fail through JMeter if i use same parameters(for SOAP Message Signer).
As a part of SOAP Request, Header needs to be signed. I am getting the below error while Signing. Could anyone please let me know the reason for failure?
n.c.b.j.m.AbstractWSSecurityPreProcessor: Building WSS header
o.a.w.d.m.WSSecSignature: Beginning signing... ERROR
n.c.b.j.m.AbstractWSSecurityPreProcessor:
org.apache.wss4j.common.ext.WSSecurityException: No certificates for
user "cert_alias" were found for signature
Did you add in jmeter keystore the certificate under alias cert_alias?
That's what message is saying:
No certificates for user "cert_alias" were found for signature
Keystore is located in jmeter/bin folder
You may want to try this plugin:
https://github.com/tilln/jmeter-wssecurity/blob/master/README.md
Finally i was able to send a successful request using the plugin.
I was using the Signed Header as a part of SOAP request.
Plugin Config:
Keystore File : Path to .jks file
Keystore Password : password
Cert Alias - cert_alias
Cert Password - cert password
After removing the Signed Header from the SOAP request, it worked. Thanks you.
If your SOAP endpoint expects the message to be encrypted with a client-side certificate you can configure JMeter to use it by adding the next lines to system.properties file:
javax.net.ssl.keyStoreType=pkcs12 or jks
javax.net.ssl.keyStore=/path/to/your/jsk keystore or .p12 certificate
javax.net.ssl.keyStorePassword=your certificate or keystore password
JMeter restart will be required to pick the properties up.
You can also pass them via -D command line argument like:
jmeter -Djavax.net.ssl.keyStoreType=pkcs12 -Djavax.net.ssl.keyStore=your-certificate.p12 -Djavax.net.ssl.keyStorePassword=secret
More information:
Customizing the Default Key and Trust Stores, Store Types, and Store Passwords
How to Set Your JMeter Load Test to Use Client Side Certificates

Unable to connect to GitHub API

We are getting an error "Unable to connect to GitHub API: org.kohsuke.github.HttpException: Server returned HTTP response code: -1, message: 'null' for URL: https://github.xxx.com/api/v3/user" when trying to use github pull request builder in jenkins
You may need to add your Certificate Authority cert to the java keytool.
If you look in your jenkins log and find something like this:
org.kohsuke.github.HttpException: Server returned HTTP response code: -1, message: 'null' for URL: https://github.xxx.com/api/v3/user
Scroll down and see if there is a line like this:
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
This error is saying that the SSL handshake failed with something about the PKIX path/certpath. Try adding your CA Cert to the keytool and restarting Jenkins to see if that helps.
Here's the post that helped me modify the java certs with the keytool. (the default keytool password is "changeit")
You can also try installing the skip certificate check plugin, in plugin manager.
it seems your java cacerts is not having correct certificate for your git URL. you may try following steps.
Step 1 : Get root certificate of https://www.google.com
Open https://www.google.com in a chrome browser.
Select Inspect from context menu(right clicking on page) and navigate to security tab
Click on view certificates
Click on top most certificate on hierarchy and confirm it is tailed with Root CA phrase.
drag and drop that image which you saw written certificate on desktop.
Thats it! you got your root certificate!
Step 2 : install certificate to your java cacerts
please verify you have system variable JAVA_HOME declared and you will perform these steps on that jre cacerts only!
Navigate to cacerts by JAVA_HOME/jre/lib/security/cacerts
Download and install keytool explorer it is available for all platforms
open cacerts in that tool and import cetificate by "import trusted certificate" button.
Save your changes (you may come across issue if it is mac and you do not have write access!)
Step 3 : Restart jenkins
You should not get ssl handshake problem now onwards.

Alexa Echo Beta SDK - Certificate issue

Amazon recently release Echo Alexa toolkit.
I received, registered my app. Alexa clearly recognizes my app exists. However it gives this error
Request Identifier:
amzn1.echo-api.request.d969c196-8b3e-4169-99c8-20f566889760 The
certificate does not have a path to a trusted authority. This happens
if you are using a self signed certificate. Voice feedback Echo heard:
"alexa start myapp"
I verified my COMODO CA (COMODO RSA Certification Auth) is on the list of authorized CA. I ensured my certificate bundle was valid.
Is there anything specific I need to ensure my bundle.crt is in the correct order for Alexa? (there is no mention that .com is required, I am using .net)
these my COMODO filenames.
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
mydomain-net.crt
ssl-bundle.crt
stn.private.key
Excited to get this to work ... please help
SA
I am now able to communicate with Alexa without issues. the source of the problem was the order of the certs and the incorrect directives in SSL and HTTP config files for apache.
I used
openssl s_client -connect 192.237.1.1:443
to verify that the certificate
Verify return code: 0 (ok)
Initially I was able to confirm the error by code and searched and fixed it.

Test internal secured web service with SoapUI?

I want to run some tests against an internal (with an internally minted cert) web service using SoapUI. I am not sure I fully grasp the SSL handshake stuff. But I exported the cert for the endpoint to a .cer file, then fired up java keytool with this command:
keytool -import -alias ca -file myservice.cer -keystore cacerts –storepass changeit
Which I got from another SO question. Then I added this truststore file (cacerts) to the project properties in SoapUI. But when I try to add a WSDL to the project, I still get the same error as before:
Error loading [https://myservice?wsdl]: org.apache.xmlbeans.XmlException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Am I completely off base? Do I add all the certs in the chain to the truststore? I wasn't able to do that, it told me that the alias was already in use? Or should I just get a cert minted from an outside trusted authority?
The SOAP UI raise the exception because your certificate not properly installed in SOAP UI trust store.
To resolve the above exception follow the below steps.
Export the certificate from the key store or browser (which contain the public key)
Go to the SOAPUI installed directory and locate following directory \SmartBear\soapUI- 4.0.1\jre\lib\security
Import the certificate in to cacerts trust store (Which is the default trust store)
Restart the SOAP UI and load the WSDL...
To understand more about SSL ... follow the below link ...JSSE documentation